Color me surprised: the number of breaches listed on the Department of Health and Human Services website is understated, possibly on a massive scale. This is according to an article at modernhealthcare.com. As many know, the Breach Notification Rule under the HITECH Act mandates notifying patients when their PHI is lost or stolen and was not protected with encryption. Hence the increased use of laptop encryption software like AlertBoot in medical settings such as hospitals and clinics.
The HITECH Act also requires the HHS to post on its website any breach that involves 500 or more patients.
First, there are "tens of thousands" of breach reports pending release while the OCR investigates them. This doesn't really come as a surprise, since many have pointed out (and I've personally experienced) instances where a HIPAA breach makes it to the news but a check of the Wall of Shame shows nothing. In fact, the figure of "tens of thousands" isn't surprising because the HHS is supposed to receive an annual consolidated report of all breaches involving fewer than 500 people from each affected covered entity.
What is surprising, though, is that they're being "hidden" while being investigated (hidden as in, the HHS won't release copies to journalists, etc.). What's to investigate? I mean, is someone going to claim a breach when there wasn't one?
Second, and this is what surprises me, the OCR's posted breach numbers are low. Again, from modernhealthcare.com:
A Nov. 4 public notice on a breach reported by the UCLA Health System states that "some personal information on 16,288 patients" was stolen, but the wall of shame lists the "individuals affected" in the UCLA incident as 2,761.
UCLA spokeswoman Dale Tate said in an e-mail that the nearly six-times-larger number in its notice "represents the number of individuals who had some information on the hard drive," while the 2,761 figure sent to the OCR "represents the number of people that met the specific criteria" under the federal breach notification rule.
Under the federal rule, Tate says, "the information for these individuals could possibly cause more than a minimal amount of financial, reputational or other harm." Information on the rest of the individuals, Tate said, did not meet the criteria.
I wasn't aware that the HIPAA / HITECH guidelines had a set of criteria for protected health information. As far as I can tell, pretty much any data a medical organization collects from a patient is PHI -- be it their SSN, medical ID, address, phone number, hospital room number, eye color, etc. There's very little that's not PHI.
In fact, as I recall it, the rule on what's not PHI is not about "what type of data is it" (ID numbers, account numbers, medical tests, etc.) as much as it's about data protection: encrypted PHI is, for all intents and purposes, not PHI. Likewise for anonymized / deidentified data. And destroyed data, of course.
Otherwise, it's all PHI. I don't see why UCLA is reporting two sets of numbers. The last time I heard about such practices, a person went to jail. In Alcatraz (yeah, I know, it's not the same thing. I'm just saying...).
Related Articles and Sites: http://www.modernhealthcare.com/article/20111222/BLOGS02/312229963/year-closes-on-a-note-of-breach-shame